(54) Method and apparatus for activating alternative virtual private network protocols

(57) A method and apparatus for enabling enterprise customers to detect VPN protocol blocking by access network providers and providing client VPN software with instructions to activate another VPN protocol, such as Secure Socket Layer (SSL), that is less likely to be blocked by their provider are disclosed. For instance, if the access network provider blocks the IPSec VPN protocol, the client VPN software will switch to an alternative VPN protocol, such as Secure Socket Layer (SSL) protocol, Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP), to connect to the VoIP network. The SSL, L2TP, and PPTP protocols are all VPN protocols designed to enable encrypted and authenticated communications across the public Internet.
Description

[0001] The present invention relates generally to communication networks and, more particularly, to a method and apparatus for activating alternative Virtual Private Network (VPN) protocols in accessing communication networks, e.g., packet networks such as Voice over Internet Protocol (VoIP) networks.

BACKGROUND OF THE INVENTION

[0002] For security reasons, remote workers access their corporate sites and VoIP services through VPN tunnels using IP Security (IPSec) VPN protocols. Broadband access network providers will frequently block the IPSec protocol unless users are subscribed to arrangements that frequently charge the subscribers twice the price of regular residential subscriptions with no added value. IPSec is a security protocol defined by the IETF (Internet Engineering Task Force) that provides authentication and encryption over the public Internet. A VPN protocol is designed to enable encrypted and authenticated communications across the public Internet.

[0003] Therefore, a need exists for a method and apparatus for activating alternative Virtual Private Network (VPN) protocols in accessing a packet network, e.g., a VoIP network.

SUMMARY OF THE INVENTION 

[0004] In one embodiment, the present invention enables enterprise customers to detect VPN protocol blocking by access network providers and provides client VPN software with instructions to activate another VPN protocol, such as Secure Socket Layer (SSL), that is less likely to be blocked by their provider. For instance, if the access network provider blocks the IPSec VPN protocol, the client VPN software will switch to an alternative VPN protocol, such as Secure Socket Layer (SSL) protocol, Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) and the like, to connect to the VoIP network. The SSL, L2TP, and PPTP protocols are all VPN protocols designed to enable encrypted and authenticated communications across the public Internet.

BRIEF DESCRIPTION OF THE DRAWINGS

[0005] The teaching of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

[0006] FIG. 1 illustrates an exemplary Voice over Internet Protocol (VoIP) network related to the present invention;

[0007] FIG. 2 illustrates an example of using Virtual Private Network (VPN) protocols in a VoIP network related to the present invention;

[0008] FIG. 3 illustrates a flowchart of a method for activating alternative Virtual Private Network (VPN) protocols in a VoIP network of the present invention; and

[0009] FIG. 4 illustrates a high level block diagram of a general purpose computer suitable for use in performing the functions described herein.

[0010] To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION 

[0011] To better understand the present invention, FIG. 1 illustrates a communication architecture 100 having an example network, e.g., a packet network such as a VoIP network related to the present invention. Exemplary packet networks include internet protocol (IP) networks, asynchronous transfer mode (ATM) networks, frame-relay networks, and the like. An IP network is broadly defined as a network that uses Internet Protocol to exchange data packets. Thus, a VoIP network or a SoIP (Service over Internet Protocol) network is considered an IP network.

[0012] In one embodiment, the VoIP network may comprise various types of customer endpoint devices connected via various types of access networks to a carrier (a service provider) VoIP core infrastructure over an Internet Protocol/Multi-Protocol Label Switching (IP/MPLS) based core backbone network. Broadly defined, a VoIP network is a network that is capable of carrying voice signals as packetized data over an IP network. The present invention is described below in the context of an illustrative VoIP network. Thus, the present invention should not be interpreted to be limited by this particular illustrative architecture.

[0013] The customer endpoint devices can be either Time Division Multiplexing (TDM) based or IP based. TDM based customer endpoint devices 122, 123, 134, and 135 typically comprise TDM phones or Private Branch Exchange (PBX). IP based customer endpoint devices 144 and 145 typically comprise IP phones or IP PBX. The Terminal Adaptors (TA) 132 and 133 are used to provide necessary interworking functions between TDM customer endpoint devices, such as analog phones, and packet based access network technologies, such as Digital Subscriber Loop (DSL) or Cable broadband access networks. TDM based customer endpoint devices access VoIP services by using either a Public Switched Telephone Network (PSTN) 120, 121 or a broadband access network via a TA 132 or 133. IP based customer endpoint devices access VoIP services by using a Local Area Network (LAN) 140 and 141 with a VoIP gateway or router 142 and 143, respectively.

[0014] The access networks can be either TDM or packet based. A TDM PSTN 120 or 121 is used to support TDM customer endpoint devices connected via traditional phone lines. A packet based access network, such as Frame Relay, ATM, Ethernet or IP, is used to support IP based customer endpoint devices via a customer LAN, e.g., 140 with a VoIP gateway and router 142. A packet based access network 130 or 131, such as DSL or Cable, when used together with a TA 132 or 133, is used to support TDM based customer endpoint devices.

[0015] The core VoIP infrastructure comprises several key VoIP components, such as the Border Element (BE) 112 and 113, the Call Control Element (CCE) 111, and VoIP related servers 114. The BE resides at the edge of the VoIP core infrastructure and interfaces with customer endpoints over various types of access networks. A BE is typically implemented as a Media Gateway and performs signaling, media control, security, and call admission control and related functions. The CCE resides within the VoIP infrastructure and is connected to the BEs using the Session Initiation Protocol (SIP) over the underlying IP/MPLS based core backbone network 110. The CCE is typically implemented as a Media Gateway Controller or a Softswitch and performs network wide call control related functions as well as interacts with the appropriate VoIP service related servers when necessary. The CCE functions as a SIP back-to-back user agent and is a signaling endpoint for all call legs between all BEs and the CCE. The CCE may need to interact with various VoIP related servers in order to complete a call that requires certain service specific features, e.g., translation of an E.164 voice network address into an IP address.

[0016] Calls that originate or terminate in a different carrier can be handled through the PSTN 120 and 121 or the Partner IP Carrier 160 interconnections. Originating or terminating TDM calls can be handled via existing PSTN interconnections to the other carrier. Originating or terminating VoIP calls can be handled via the Partner IP carrier interface 160 to the other carrier.

[0017] In order to illustrate how the different components operate to support a VoIP call, the following call scenario is used to illustrate how a VoIP call is set up between two customer endpoints. A customer using IP device 144 at location A places a call to another customer at location Z using TDM device 135. During the call setup, a setup signaling message is sent from IP device 144, through the LAN 140, the VoIP Gateway/Router 142, and the associated packet based access network, to BE 112. BE 112 will then send a setup signaling message, such as a SIP-INVITE message if SIP is used, to CCE 111. CCE 111 looks at the called party information and queries the necessary VoIP service related server 114 to obtain the information to complete this call. If BE 113 needs to be involved in completing the call, CCE 111 sends another call setup message, such as a SIP-INVITE message if SIP is used, to BE 113. Upon receiving the call setup message, BE 113 forwards the call setup message, via broadband network 131, to TA 133. TA 133 then identifies the appropriate TDM device 135 and rings that device. Once the call is accepted at location Z by the called party, a call acknowledgement signaling message, such as a SIP-ACK message if SIP is used, is sent in the reverse direction back to the CCE 111. After the CCE 111 receives the call acknowledgement message, it will then send a call acknowledgement signaling message, such as a SIP-ACK message if SIP is used, toward the calling party. In addition, the CCE 111 also provides the necessary information of the call to both BE 112 and BE 113 so that the call data exchange can proceed directly between BE 112 and BE 113. The call signaling path 150 and the call media path 151 are illustratively shown in FIG. 1. Note that the call signaling path and the call media path are different because once a call has been set up between two endpoints, the CCE 111 does not need to be in the data path for actual direct data exchange.

[0018] Media Servers (MS) 115 are special servers that typically handle and terminate media streams, and provide services such as announcements, bridges, transcoding, and Interactive Voice Response (IVR) messages for VoIP service applications.

[0019] Note that a customer in location A using any endpoint device type with its associated access network type can communicate with another customer in location Z using any endpoint device type with its associated network type as well. For instance, a customer at location A using IP customer endpoint device 144 with packet based access network 140 can call another customer at location Z using TDM endpoint device 123 with PSTN access network 121. The BEs 112 and 113 are responsible for the necessary signaling protocol translation, e.g., SS7 to and from SIP, and media format conversion, such as TDM voice format to and from IP based packet voice format.

EP 1 768 343 A2

[0020] For security reasons, remote workers access their corporate sites and VoIP services through VPN tunnels using IP Security (IPSec) VPN protocols. Broadband access network providers will frequently block the IPSec protocol unless users are subscribed to arrangements that frequently charge the subscribers twice the price of regular residential subscriptions with no added value. When a particular VPN protocol is blocked by an access network provider, subscribers need to be aware of it and then switch to a different VPN protocol that is not blocked by the access network provider. IPSec is a security protocol defined by the IETF (Internet Engineering Task Force) that provides authentication and encryption over the public Internet. A VPN protocol is designed to enable encrypted and authenticated communications across the public Internet.

[0021] To address this criticality, the present invention enables enterprise customers to detect VPN protocol blocking by access network providers and provides client VPN software with instructions to activate another VPN protocol, such as Secure Socket Layer (SSL), that is less likely to be blocked by their provider. For instance, if the access network provider blocks the IPSec VPN protocol, the client VPN software will switch to an alternative VPN protocol, such as Secure Socket Layer (SSL) protocol, Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) and the like, to connect to the VoIP network. The SSL, L2TP, and PPTP protocols are all VPN protocols designed to enable encrypted and authenticated communications across the public Internet.
[0022] FIG. 2 illustrates an exemplary communication architecture 200 for using Virtual Private Network (VPN) protocols in a packet network, e.g., a VoIP network related to the present invention. In FIG. 2, in one embodiment of the present invention, telecommuter 231 via TA 232 remotely accesses corporate network 240 to perform work related activities, including using VoIP services subscribed by the corporation. Telecommuter 231 uses a VPN protocol via VPN tunnel 221 to securely access corporate network 240 through VPN Gateway 241. VPN tunnel 221 provides secured communication between telecommuter 231 and VPN Gateway 241 over the public internet access network 230 (e.g., an Internet Protocol (IP) network). In FIG. 2, telecommuter 231 uses the VoIP services subscribed by the corporation via signaling flow 220. In one embodiment, BE 212 can actively detect and determine the VPN protocols blocked by access network 230. Common VPN protocols used are, but not limited to, IPSec, SSL, PPTP, and L2TP protocols. If BE 212 has determined that access network 230 is blocking the IPSec protocol, BE 212 will signal the VPN client software used by telecommuter 231 to use an alternative protocol, such as SSL, that is not blocked by access network 230. Using the SSL protocol, telecommuter 231 can then connect to corporate network 240, using the uninterrupted signaling 220, to access the subscribed VoIP services. If SSL is also blocked, BE 212 can attempt to use other available VPN protocols, such as L2TP or PPTP, to communicate with telecommuter 231.

[0023] In FIG. 2, in another embodiment of the present invention, telecommuter 233 via TA 234 uses a VPN protocol via VPN tunnel 222 over access network 230 to securely access VoIP services subscribed by the corporation that telecommuter 233 works for. VPN tunnel 222 provides secured communication between telecommuter 233 and VoIP network 210 over the public internet access network 230. In FIG. 2, telecommuter 233 uses the VoIP services subscribed by the corporation via signaling flow 223. BE 213 can actively detect and determine the VPN protocols blocked by access network 230. Common VPN protocols used are, but not limited to, IPSec, SSL, PPTP, and L2TP protocols. If BE 213 has determined that access network 230 is blocking the IPSec protocol, BE 213 will signal the VPN client software used by telecommuter 233 to use an alternative protocol, such as SSL, that is not blocked by access network 230. Using the SSL protocol, telecommuter 233 can then connect to the VoIP network, using the uninterrupted signaling 223, to access the subscribed VoIP services. If SSL is also blocked, BE 213 can attempt to use other available VPN protocols, such as L2TP or PPTP, to communicate with telecommuter 233.

[0024] FIG. 3 illustrates a flowchart of a method 300 for activating alternative Virtual Private Network (VPN) protocols in a packet network, e.g., a VoIP network of the present invention. Method 300 starts in step 305 and proceeds to step 310.

[0025] In step 310, the method attempts to initiate a VPN tunnel test using a selected VPN protocol to signal to an endpoint device by a BE. For example, the testing may start when an endpoint device signals that it wants to establish secured communication.

[0026] In step 320, the method checks if the selected VPN protocol is blocked by the access network. If the selected VPN protocol is blocked by the access network, the method proceeds to step 330; otherwise, the method proceeds to step 350. Available VPN protocols that can be selected include, but are not limited to, IPSec, SSL, L2TP, and PPTP protocols.

[0027] In step 330, the method checks if all available VPN protocols have been tested against the access network. If all available VPN protocols have been exhausted, the method proceeds to step 370; otherwise, the method proceeds to step 340.

[0028] In step 340, the method selects the next available VPN protocol and proceeds back to step 310.

[0029] In step 350, the method signals to the VoIP endpoint device to use the selected VPN protocol to establish a VPN tunnel. Namely, a VPN protocol has been detected that is not being blocked.

[0030] In step 360, the method activates a VPN tunnel between the VoIP endpoint device and the corporate network.

[0031] In step 370, the method alerts the customer that all available VPN protocols are blocked by the access network. The method ends in step 380.
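The loop of steps 310 to 370, and the fallback from IPSec to SSL and then L2TP or PPTP that [0022] and [0023] describe for BE 212 and BE 213, as an added Python example that is not part of the patent: the selection logic is driven by an injected probe, and AccessNetworkModel, ProbeTimeout and the preference order of the candidate list are constructed assumptions standing in for a real tunnel handshake.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Iterable, Optional


class Outcome(Enum):
    TUNNEL_ACTIVATED = "tunnel activated"   # step 360 reached
    ALL_BLOCKED = "all protocols blocked"   # step 370 reached


@dataclass
class SelectionResult:
    outcome: Outcome
    selected: Optional[str]                      # protocol signalled to the endpoint (step 350)
    tested: list = field(default_factory=list)   # protocols probed, in the order tried


# Candidate protocols named in the patent; the order is an assumed operator preference.
DEFAULT_PROTOCOLS = ("IPSec", "SSL", "L2TP", "PPTP")


class ProbeTimeout(Exception):
    """Raised by a probe when the tunnel test gets no answer (hypothetical)."""


def select_vpn_protocol(probe: Callable[[str], bool],
                        protocols: Iterable[str] = DEFAULT_PROTOCOLS) -> SelectionResult:
    """Walk the FIG. 3 loop until a protocol passes or the candidate list is exhausted."""
    tested = []
    for proto in protocols:                # steps 330/340: next available protocol
        tested.append(proto)               # step 310: initiate a tunnel test with proto
        try:
            passed = probe(proto)          # step 320: did the test get through?
        except ProbeTimeout:
            passed = False                 # a silent drop looks exactly like a provider filter
        if passed:
            return SelectionResult(Outcome.TUNNEL_ACTIVATED, proto, tested)  # steps 350/360
    return SelectionResult(Outcome.ALL_BLOCKED, None, tested)              # step 370


class AccessNetworkModel:
    """Constructed stand-in for access network 230: probes of blocked protocols
    time out, everything else succeeds. Real code would run the tunnel handshake."""

    def __init__(self, blocked: Iterable[str]):
        self.blocked = frozenset(blocked)

    def probe(self, proto: str) -> bool:
        if proto in self.blocked:
            raise ProbeTimeout(proto)
        return True


if __name__ == "__main__":
    # The scenario from [0022]: IPSec filtered, so the BE falls back to SSL.
    net = AccessNetworkModel(blocked={"IPSec"})
    print(select_vpn_protocol(net.probe))
```

The `tested` list is the audit trail a border element should log alongside the step 370 alert, so that an operator can distinguish a provider filter from a gateway outage that makes every probe time out.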
[0032] FIG. 4 depicts a high level block diagram of a general purpose computer suitable for use in performing the functions described herein. As depicted in FIG. 4, the system 400 comprises a processor element 402 (e.g., a CPU), a memory 404, e.g., random access memory (RAM) and/or read only memory (ROM), a module 405 for activating alternative VPN protocols, and various input/output devices 406 (e.g., storage devices, including but not limited to, a tape drive, a floppy drive, a hard disk drive or a compact disk drive, a receiver, a transmitter, a speaker, a display, a speech synthesizer, an output port, and a user input device (such as a keyboard, a keypad, a mouse, and the like)).

[0033] It should be noted that the present invention can be implemented in software and/or in a combination of software and hardware, e.g., using application specific integrated circuits (ASIC), a general purpose computer or any other hardware equivalents. In one embodiment, the present module or process 405 for activating alternative VPN protocols can be loaded into memory 404 and executed by processor 402 to implement the functions as discussed above. As such, the present process 405 for activating alternative VPN protocols (including associated data structures) of the present invention can be stored on a computer readable medium or carrier, e.g., RAM memory, magnetic or optical drive or diskette and the like.

[0034] While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.



Claims

1. A method for selecting a Virtual Private Network, VPN, protocol in accessing a communication network, comprising:

testing a first VPN protocol from a plurality of available VPN protocols to signal to an endpoint device by an edge component of said communication network over an access network; and
selecting an alternative VPN protocol from said plurality of available VPN protocols to signal to said endpoint device by said edge component of said communication network over said access network if said first VPN protocol is blocked by said access network.

2. The method of claim 1, wherein said communication network is a Voice over Internet Protocol, VoIP, network or a Service over Internet Protocol, SoIP, network.

3. The method of claim 1 or 2, wherein said access network is an Internet Protocol, IP, network.

4. The method of claim 1, 2 or 3, wherein said edge component is a Border Element, BE.

5. The method of any one of the preceding claims, wherein said plurality of available VPN protocols comprise at least two of: an IP Security, IPSec, protocol, a Secure Socket Layer, SSL, protocol, a Layer 2 Tunneling Protocol, L2TP, or a Point-to-Point Tunneling Protocol, PPTP, protocol.

6. The method of any one of the preceding claims, further comprising:

using said alternative VPN protocol to establish a VPN tunnel over said access network to said endpoint device if said alternative VPN protocol is not blocked by said access network.

7. The method of any one of the preceding claims, further comprising:

sending a notification to a network administrator of said endpoint device if all of said plurality of VPN protocols are blocked by said access network.

8. A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps of a method for selecting a Virtual Private Network, VPN, protocol in accessing a communication network, comprising:

testing a first VPN protocol from a plurality of available VPN protocols to signal to an endpoint device by an edge component of said communication network over an access network; and
selecting an alternative VPN protocol from said plurality of available VPN protocols to signal to said endpoint device by said edge component of said communication network over said access network if said first VPN protocol is blocked by said access network.

9. The computer-readable medium of claim 8, wherein said communication network is a Voice over Internet Protocol, VoIP, network or a Service over Internet Protocol, SoIP, network.

10. The computer-readable medium of claim 8 or 9, wherein said access network is an Internet Protocol, IP, network.

11. The computer-readable medium of claim 8, 9 or 10, wherein said edge component is a Border Element, BE.

12. The computer-readable medium of any one of claims 8 to 11, wherein said plurality of available VPN protocols comprise at least two of: an IP Security, IPSec, protocol, a Secure Socket Layer, SSL, protocol, a Layer 2 Tunneling Protocol, L2TP, or a Point-to-Point Tunneling Protocol, PPTP, protocol.

13. The computer-readable medium of any one of claims 8 to 12, further comprising:

using said alternative VPN protocol to establish a VPN tunnel over said access network to said endpoint device if said alternative VPN protocol is not blocked by said access network.

14. The computer-readable medium of any one of claims 8 to 13, further comprising:

sending a notification to a network administrator of said endpoint device if all of said plurality of VPN protocols are blocked by said access network.

15. An apparatus for selecting a Virtual Private Network, VPN, protocol in accessing a communication network, comprising:

means for testing a first VPN protocol from a plurality of available VPN protocols to signal to an endpoint device by an edge component of said communication network over an access network; and
means for selecting an alternative VPN protocol from said plurality of available VPN protocols to signal to said endpoint device by said edge component of said communication network over said access network if said first VPN protocol is blocked by said access network.

16. The apparatus of claim 15, wherein said communication network is a Voice over Internet Protocol, VoIP, network or a Service over Internet Protocol, SoIP, network.

17. The apparatus of claim 15 or 16, wherein said access network is an Internet Protocol, IP, network.

18. The apparatus of claim 15, 16 or 17, wherein said edge component is a Border Element, BE.

19. The apparatus of any one of claims 15 to 18, wherein said plurality of available VPN protocols comprise at least two of: an IP Security, IPSec, protocol, a Secure Socket Layer, SSL, protocol, a Layer 2 Tunneling Protocol, L2TP, or a Point-to-Point Tunneling Protocol, PPTP, protocol.

20. The apparatus of any one of claims 15 to 19, further comprising:

means for using said alternative VPN protocol to establish a VPN tunnel over said access network to said endpoint device if said alternative VPN protocol is not blocked by said access network.